Facebook is facing a new controversy after some users say they've found records of phone calls and text messages in their personal files, but claim they never granted the social networking site permission to collect the data.

The findings come as Facebook is scrambling to counter perhaps one of the strongest backlashes against it in its 14-year history. The company is facing multiple privacy investigations in the U.S. and U.K. over the leak of personal information pertaining to as many as 60 million Facebook users to voter-profiling firm Cambridge Analytica (see Probes Begin as Facebook Slammed by Data Leak Blowback).

Facebook founder and CEO Mark Zuckerberg pledged last week to improve privacy protections and be more transparent with users. The latest findings, however, suggest a deeper disconnect between what Facebook stores and what users expected the site to gather.

The privacy uproar over Cambridge Analytica has led some users to download their Facebook archive, a rich repository of personal information the site has cataloged. Over the last several days, those archives have yielded data users have found surprising.

Some archives show contact information that Facebook has collected from mobile phone address books. Other information included detailed call logs, such as to whom a call was made and for how long, and records of SMS messages. The information is metadata - data pertaining to other data, in this case details of transmissions - and it does not include the content of those calls or communications.

Permission Granted?

Facebook maintains that it has always asked for permission for that kind of information, but some users say they never granted permission. The situation gained steam after a tweet last Wednesday from Dylan McKay, a software developer and student in Wellington, New Zealand.

He found call logs for every chat he had with his partner's mother between 2016 and last year. McKay has created an informal survey that's so far gathered about 1,000 responses on what type of metadata people have found in their Facebook archives.

McKay's tweet prompted others to dig around their Facebook archives. Emma Kennedy, a London-based author, writes on Twitter that she never granted permission for Facebook to collect the data she found.

I've just looked at the data files I requested from Facebook and they had every single phone number in my contacts. They had every single social event I went to, a list of all my friends (and their birthdays) and a list of every text I've sent.

"They have plundered my phone," Kennedy writes in another tweet. "They have phone numbers of people who aren't on Facebook. They have phone numbers of household names who, I'm sure, would be furious to know their phone numbers are accessible. I'm appalled."

Only Android Affected

It appears the surprise call logs are only showing up for Facebook users on Android devices. Apple has never allowed developers access to call logs or SMS data on iOS, in large part for security reasons, but it does allow access to the address book. Apple officials in Sydney did not have an immediate comment.

Facebook addressed the latest controversy in a blog post on Sunday. The logging of calls and text history has been an opt-in feature in Messenger since 2015 and in Facebook Lite.

Facebook Lite was launched in 2015. It's aimed at developing markets and uses less data than the full-fledged app. The company only made it available last week to users in the U.S., Canada, Australia, United Kingdom, France, Germany, Ireland and New Zealand.

Suspicion Centers on Android Messenger App

It doesn't appear that the people who are complaining that their contacts have been uploaded to Facebook and calls logged would have been able to use Facebook Lite. Hence by process of elimination, that appears to make Facebook's Messenger app the culprit.

Facebook asserts that users have always been asked for their permission. Barring other technical explanations that have yet to emerge, that means that if Facebook's characterization is accurate, faulty memories may have fueled an unjustified outcry.

However, the publication Ars Technica suggests a different possible scenario, rooted in Android's historical permissions settings, may have occurred.

The Google-developed Android operating system allows users to give permissions to apps for certain functions. When someone downloads an app, the app asks if it is allowed to access certain data or functionality, such as a phone's camera or microphone, contacts or other information.

Over the years, as some apps became more aggressive or deceptive and security concerns emerged, Android began offering more fine-grained access permissions. But in Android 4.1 and earlier versions, granting access to a phone's contacts list also granted access to call and message logs by default, Ars reports.

That means that Facebook - when asking for contacts information - could have also received the call and SMS metadata. The permission structure, however, was changed in version 16 of the Android API.

But Ars Technica reports that Android apps could get around the change by writing to the old version of the API. The old version of the API, 4.0, was only deprecated in Android last October, it adds.
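The permission behavior Ars Technica describes can be checked from an app's manifest. The following is an added example, not code from Facebook, Ars Technica or this article: it relies on Android's documented rule that an app requesting READ_CONTACTS (or WRITE_CONTACTS) with both minSdkVersion and targetSdkVersion at 15 or lower is implicitly granted the matching call-log permission, and it assumes a decoded AndroidManifest.xml that still carries its uses-sdk element. The sample manifests and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
SPLIT_API = 16  # API level that introduced separate call-log permissions

# Constructed sample manifests, not taken from any real app.
LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
MODERN = LEGACY.replace('targetSdkVersion="15"', 'targetSdkVersion="26"')
EXPLICIT = MODERN.replace(
    "</manifest>",
    '<uses-permission android:name="android.permission.READ_CALL_LOG"/></manifest>')


def call_log_access(manifest_xml):
    """Return how each call-log permission is obtained: explicit, implicit or none."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", 1))
    # targetSdkVersion falls back to minSdkVersion when it is not declared.
    target_sdk = int(attrs.get(ANDROID + "targetSdkVersion", min_sdk))
    declared = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    legacy = min_sdk < SPLIT_API and target_sdk < SPLIT_API

    result = {}
    for mode in ("READ", "WRITE"):
        if PREFIX + mode + "_CALL_LOG" in declared:
            result[mode] = "explicit"
        elif legacy and PREFIX + mode + "_CONTACTS" in declared:
            # The contacts permission silently carries call-log access here.
            result[mode] = "implicit"
        else:
            result[mode] = "none"
    return result


if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY), ("modern", MODERN), ("explicit", EXPLICIT)):
        print(name, call_log_access(xml))
```

An "implicit" result marks the case at issue here: the user sees only a contacts request, yet the app can also read the call log.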

When asked about the Ars Technica report, Facebook maintains that it has always asked for permission to log call and text history even if Android did not. The company provided screen shots of the current advisories that are displayed by Android after Messenger is installed.

[Image: The current advisories displayed by Android after someone installs Facebook's Messenger.]

While the Android advisory windows do describe some of what Messenger would be allowed to do with contacts, calls and SMS messages, they don't state that the data will be stored on Facebook's servers. However, Facebook is more direct in its advisory.

The feature is headlined "Text anyone in your phone" and then says it will "continuously upload info about your contacts like phone numbers and nicknames, and your call and text history."

[Image: Facebook's disclosure in Messenger]

Questions Remain

ISMG asked Facebook if Ars Technica's theory is the reason users are surprised, and also asked if Facebook could clarify how it asked for permissions for past versions of the full Facebook mobile app and Messenger, but it did not receive a reply.

Asking for access to a mobile phone's address book is common among app developers because it is used to match a new user with other people they know and who use the same app. The key in this situation, however, is whether Facebook has been clear enough with users over how much data it has been collecting.

In its blog post, Facebook says it does not share call or SMS metadata with third parties.

It is possible for users to delete contacts data the social network has collected. Also, in Messenger, users can turn off a menu item that continuously uploads new contact information to the company.

Facebook also says it is possible to turn off the setting that syncs a person's call and text history. But the instruction included in the blog post is specific only to Facebook Lite.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
